Implement oidc

build.gradle

@@ -18,6 +18,7 @@ dependencies {
     implementation 'org.bouncycastle:bcprov-jdk18on:1.78.1'
     implementation 'com.github.FireMasterK.NewPipeExtractor:NewPipeExtractor:a64e202bb498032e817a702145263590829f3c1d'
     implementation 'com.github.FireMasterK:nanojson:9f4af3b739cc13f3d0d9d4b758bbe2b2ae7119d7'
+    implementation 'com.nimbusds:oauth2-oidc-sdk:11.20.1'
     implementation 'com.fasterxml.jackson.core:jackson-core:2.17.2'
     implementation 'com.fasterxml.jackson.core:jackson-annotations:2.17.2'
     implementation 'com.fasterxml.jackson.core:jackson-databind:2.17.2'

config.properties

@@ -89,3 +89,17 @@ hibernate.connection.password:changeme
 # Frontend configuration
 #frontend.statusPageUrl:https://kavin.rocks
 #frontend.donationUrl:https://kavin.rocks
+
+# SSO via OIDC
+# Each provider needs to have these three options specified. <NAME> is the
+# friendly name which will be shown to the clients and used in the database.
+# If you want to change the name later, you will have to update the database.
+#oidc.provider.<NAME>.clientId:example_piped_client_id
+#oidc.provider.<NAME>.clientSecret:example_piped_client_secret
+#oidc.provider.<NAME>.issuer:https://idm.example.com
+
+# Ask the provider to re-authenticate the user when account deletion is
+# requested. This field is optional and you should only set this to false
+# if your provider doesn't support the max_age parameter. You will know when
+# trying to delete an account.
+#oidc.provider.<NAME>.sendMaxAge = true

src/main/java/me/kavin/piped/Main.java

@@ -9,6 +9,7 @@
 import me.kavin.piped.utils.*;
 import me.kavin.piped.utils.matrix.SyncRunner;
 import me.kavin.piped.utils.obj.MatrixHelper;
+import me.kavin.piped.utils.obj.db.OidcData;
 import me.kavin.piped.utils.obj.db.PlaylistVideo;
 import me.kavin.piped.utils.obj.db.PubSub;
 import me.kavin.piped.utils.obj.db.Video;
@@ -253,5 +254,32 @@ public void run() {
             }
         }, 0, TimeUnit.MINUTES.toMillis(60));
 
+        new Timer().scheduleAtFixedRate(new TimerTask() {
+            @Override
+            public void run() {
+                try (StatelessSession s = DatabaseSessionFactory.createStatelessSession()) {
+
+                    var cb = s.getCriteriaBuilder();
+                    var cd = cb.createCriteriaDelete(OidcData.class);
+                    var root = cd.from(OidcData.class);
+                    cd.where(cb.lessThan(root.get("start"), System.currentTimeMillis() - TimeUnit.MINUTES.toMillis(3)));
+
+                    var tr = s.beginTransaction();
+
+                    var query = s.createMutationQuery(cd);
+
+                    int affected = query.executeUpdate();
+
+                    tr.commit();
+
+                    if (affected > 0) {
+                        System.out.printf("Cleanup: Removed %o orphaned oidc logins%n", affected);
+                    }
+                } catch (Exception e) {
+                    e.printStackTrace();
+                }
+            }
+        }, 0, TimeUnit.MINUTES.toMillis(5));
+
     }
 }

src/main/java/me/kavin/piped/consts/Constants.java

@@ -3,11 +3,15 @@
 import com.fasterxml.jackson.databind.DeserializationFeature;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.fasterxml.jackson.databind.json.JsonMapper;
+import com.fasterxml.jackson.databind.node.ArrayNode;
 import com.fasterxml.jackson.databind.node.JsonNodeFactory;
 import com.fasterxml.jackson.databind.node.ObjectNode;
+import com.nimbusds.oauth2.sdk.GeneralException;
 import io.minio.MinioClient;
 import it.unimi.dsi.fastutil.objects.Object2ObjectOpenHashMap;
+import it.unimi.dsi.fastutil.objects.ObjectArrayList;
 import me.kavin.piped.utils.PageMixin;
+import me.kavin.piped.utils.obj.OidcProvider;
 import me.kavin.piped.utils.resp.ListLinkHandlerMixin;
 import okhttp3.OkHttpClient;
 import okhttp3.brotli.BrotliInterceptor;
@@ -21,8 +25,10 @@
 
 import java.io.File;
 import java.io.FileReader;
+import java.io.IOException;
 import java.nio.charset.StandardCharsets;
 import java.util.List;
+import java.util.Map;
 import java.util.Optional;
 import java.util.Properties;
 
@@ -103,6 +109,7 @@ public class Constants {
     public static String YOUTUBE_COUNTRY;
 
     public static final String VERSION;
+    public static final List<OidcProvider> OIDC_PROVIDERS;
 
     public static final ObjectMapper mapper = JsonMapper.builder()
             .addMixIn(Page.class, PageMixin.class)
@@ -170,12 +177,39 @@ public class Constants {
             MATRIX_SERVER = getProperty(prop, "MATRIX_SERVER", "https://matrix-client.matrix.org");
             MATRIX_TOKEN = getProperty(prop, "MATRIX_TOKEN");
             GEO_RESTRICTION_CHECKER_URL = getProperty(prop, "GEO_RESTRICTION_CHECKER_URL");
+
+            OIDC_PROVIDERS = new ObjectArrayList<>();
+
+            Map<String, Map<String, String>> oidcProviderConfig = new Object2ObjectOpenHashMap<>();
+            ArrayNode providerNames = frontendProperties.putArray("oidcProviders");
             prop.forEach((_key, _value) -> {
                 String key = String.valueOf(_key), value = String.valueOf(_value);
                 if (key.startsWith("hibernate"))
                     hibernateProperties.put(key, value);
                 else if (key.startsWith("frontend."))
                     frontendProperties.put(StringUtils.substringAfter(key, "frontend."), value);
+                else if (key.startsWith("oidc.provider")) {
+                    String[] split = key.split("\\.");
+                    if (split.length != 4) return;
+                    oidcProviderConfig
+                            .computeIfAbsent(split[2], k -> new Object2ObjectOpenHashMap<>())
+                            .put(split[3], value);
+                }
+            });
+            oidcProviderConfig.forEach((provider, config) -> {
+                try {
+                    OIDC_PROVIDERS.add(new OidcProvider(
+                            provider,
+                            getRequiredMapValue(config, "clientId"),
+                            getRequiredMapValue(config, "clientSecret"),
+                            getRequiredMapValue(config, "issuer"),
+                            getOptionalMapValue(config, "sendMaxAge", "true")
+                    ));
+                } catch (GeneralException | IOException e) {
+                    System.err.println("Failed to get configuration for '" + provider + "': " + e);
+                    System.exit(1);
+                }
+                providerNames.add(provider);
             });
             frontendProperties.put("imageProxyUrl", IMAGE_PROXY_PART);
             frontendProperties.putArray("countries").addAll(
@@ -220,4 +254,21 @@ private static String getProperty(final Properties prop, String key, String def)
 
         return prop.getProperty(key, def);
     }
+
+    private static String getRequiredMapValue(final Map<?, String> map, Object key) {
+        String value = map.get(key);
+        if (StringUtils.isBlank(value)) {
+            System.err.println("Missing '" + key + "' in sub-configuration");
+            System.exit(1);
+        }
+        return value;
+    }
+
+    private static String getOptionalMapValue(final Map<?, String> map, Object key, String def) {
+        String value = map.get(key);
+        if (StringUtils.isBlank(value)) {
+            return def;
+        }
+        return value;
+    }
 }

src/main/java/me/kavin/piped/server/ServerLauncher.java

@@ -15,14 +15,17 @@
 import me.kavin.piped.server.handlers.auth.FeedHandlers;
 import me.kavin.piped.server.handlers.auth.StorageHandlers;
 import me.kavin.piped.server.handlers.auth.UserHandlers;
+import me.kavin.piped.utils.ErrorResponse;
 import me.kavin.piped.utils.*;
+import me.kavin.piped.utils.obj.OidcProvider;
 import me.kavin.piped.utils.resp.*;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.commons.lang3.exception.ExceptionUtils;
 import org.hibernate.Session;
 import org.jetbrains.annotations.NotNull;
 
 import java.net.InetSocketAddress;
+import java.net.URI;
 import java.util.Objects;
 import java.util.concurrent.Executor;
 
@@ -258,6 +261,22 @@ AsyncServlet mainServlet(Executor executor) {
                     } catch (Exception e) {
                         return getErrorResponse(e, request.getPath());
                     }
+                })).map(GET, "/oidc/:provider/:function", AsyncServlet.ofBlocking(executor, request -> {
+                    try {
+                        String function = request.getPathParameter("function");
+                        OidcProvider provider = getOidcProvider(request.getPathParameter("provider"));
+                        if (provider == null)
+                            return HttpResponse.ofCode(500).withHtml("Can't find the provider on the server");
+
+                        return switch (function) {
+                            case "login" -> UserHandlers.oidcLoginRequest(provider, request.getQueryParameter("redirect"));
+                            case "callback" -> UserHandlers.oidcLoginCallback(provider, URI.create(request.getFullUrl()));
+                            case "delete" -> UserHandlers.oidcDeleteCallback(provider, URI.create(request.getFullUrl()));
+                            default -> HttpResponse.ofCode(500).withHtml("Invalid function `" + function + "`");
+                        };
+                    } catch (Exception e) {
+                        return getErrorResponse(e, request.getPath());
+                    }
                 })).map(POST, "/login", AsyncServlet.ofBlocking(executor, request -> {
                     try {
                         LoginRequest body = mapper.readValue(request.loadBody().getResult().asArray(),
@@ -469,6 +488,14 @@ AsyncServlet mainServlet(Executor executor) {
                     } catch (Exception e) {
                         return getErrorResponse(e, request.getPath());
                     }
+                })).map(GET, "/user/delete", AsyncServlet.ofBlocking(executor, request -> {
+                    try {
+                        String session = request.getQueryParameter("session");
+                        String redirect = request.getQueryParameter("redirect");
+                        return UserHandlers.oidcDeleteRequest(session, redirect);
+                    } catch (Exception e) {
+                        return getErrorResponse(e, request.getPath());
+                    }
                 })).map(POST, "/logout", AsyncServlet.ofBlocking(executor, request -> {
                     try {
                         return getJsonResponse(UserHandlers.logoutResponse(request.getHeader(AUTHORIZATION)), "private");
@@ -506,6 +533,15 @@ AsyncServlet mainServlet(Executor executor) {
         return new CustomServletDecorator(router);
     }
 
+    private static OidcProvider getOidcProvider(String provider) {
+        for (int i = 0; i < Constants.OIDC_PROVIDERS.size(); i++) {
+            OidcProvider curr = Constants.OIDC_PROVIDERS.get(i);
+            if (curr == null || !curr.name.equals(provider)) continue;
+            return curr;
+        }
+        return null;
+    }
+
     private static String[] getArray(String s) {
 
         if (s == null) {